April 22, 2016

The Federal Trade Commission (FTC), in partnership with other federal agencies, has released an online tool that provides developers legal guidance for the creation of mobile health applications (apps). Companies that are developing mobile health applications should refer to the guide as a starting point for determining the type of security features they want and/or need to design into their app.

"Mobile app developers need clear information about the laws that apply to their health-related products," said Jessica Rich, director of the FTC's Bureau of Consumer Protection. "By working with our partner agencies, we're helping these businesses build apps that comply with the law and provide more protection for consumers." The FTC's partners include the Office of the National Coordinator for Health Information Technology (ONC), the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, and the U.S. Food and Drug Administration.

The FTC guidance is a follow-on tool to the National Institute of Standards and Technology (NIST) step-by-step practice guide on protecting medical information stored in and shared between mobile devices, which we discussed in an alert last August.

The FTC's online tool is an interactive website that asks developers a series of questions about the functionality of their application and, based on the responses, guides the developer to design within the parameters of health care security regulations.

Similar to the NIST practice guide, the FTC's online tool is primarily geared toward ONC professionals and application developers rather than consumers or business owners. In public statements, the FTC has stated, "the guidance is designed to help developers figure out which of a wide array of potentially applicable laws and regulations, including the FTC Act, the FTC's Health Breach Notification Rule, the Health Insurance Portability and Accountability Act and the Federal Food, Drug and Cosmetics Act, may govern their applications."

The FTC simultaneously released its own business guidance aimed at helping developers design privacy and security features into their apps. The FTC's business guidance describes best practices with respect to:

minimizing data collection and retention;

limiting access to data to avoid unnecessary risks of breach; and

understanding third-party interactions with mobile data and how to approach designing practical and legally required security functions in a mobile app.

The rules and regulations governing mobile health technology and mobile apps are broad and affect almost all businesses that are in or tangential to the health care industry. For example, the privacy, security, and breach notification rules issued under the Health Insurance Portability and Accountability Act (HIPAA) apply to mobile health apps that are developed by a HIPAA-covered entity (such as a health care provider or health plan) or by business associates who create, receive, transmit, or maintain protected health information on behalf of a HIPAA-covered entity.

Compliance with the applicable rules and regulations is not the only reason that mobile health care developers should use the FTC's new tool. According to the Institute for Critical Infrastructure Technology, "the health care sector is the most targeted and plagued by perpetual persistent attacks from numerous unknown malicious hackers." According to HHS, these attacks and security breaches generally cost health care organizations millions of dollars to manage and remedy.

HHS put together a database of health care breaches over the past decade that affected 500 or more individuals. It shows there were more than 250 breaches involving mobile health data security in 2015. Further, it shows that unlike the data security breaches of the past, which involved theft or loss of paper medical records or computers, the types of breaches occurring now are primarily incidents of "Hacking/IT" and "Unauthorized Access/Disclosure." HHS has reported that it expects an increase in data security breaches among health care organizations in 2016.

The FTC's release of this online tool and the accompanying business guidance suggests that the agency will increase its scrutiny of health care developers and organizations. Though the FTC boasts that the tool will help developers navigate complex regulatory questions and develop more secure applications, it does not answer all questions and falls short in terms of helping developers understand the varied and fragmented laws and regulations governing the health care industry. To ensure compliance with applicable rules and regulations, health care developers and organizations should consult Ballard Spahr's health care and privacy and data security attorneys regarding the development and deployment of mobile health products and services.

Ballard Spahr's Privacy and Data Group provides the full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.